By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
438,278 Members | 1,359 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 438,278 IT Pros & Developers. It's quick & easy.

stripslashes() and htmlspecialchars() problem!

P: n/a
If $val is the following:

....Just revamped the site's Content Management Application I built.. so do
bear in mind.. sorry!

Phil
stripslashes(htmlspecialchars($val)) should produce the following, or so I
thought:

<input type=hidden name=alert value="...Just revamped the site's Content
Management Application I built.. so do bear in mind..
sorry!&lt;br&gt;&lt;br&gt;Phil">

Instead, I get:

<input type=hidden name=alert value="...Just revamped the site\'s Content
Management Application I built.. so do bear in mind.. sorry!

Phil">

What combo of stripslashes() and htmlspecialchars() do I use to ensure I get
a single-line entity from an HTML textarea value that could have anything in
it, plain and simple?

Phil
Jul 16 '05 #1
Share this Question
Share on Google+
2 Replies


P: n/a
"Phil Powell" <so*****@erols.com> wrote in message
news:F1gWa.130$cf.29@lakeread04...
If $val is the following:

...Just revamped the site's Content Management Application I built.. so do
bear in mind.. sorry!

Phil
stripslashes(htmlspecialchars($val)) should produce the following, or so I
thought:

<input type=hidden name=alert value="...Just revamped the site's Content
Management Application I built.. so do bear in mind..
sorry!&lt;br&gt;&lt;br&gt;Phil">

Instead, I get:

<input type=hidden name=alert value="...Just revamped the site\'s Content
Management Application I built.. so do bear in mind.. sorry!

Phil">

What combo of stripslashes() and htmlspecialchars() do I use to ensure I get a single-line entity from an HTML textarea value that could have anything in it, plain and simple?

Phil


Hi Phil,

Just a guess (since this doesn't look like a complete code listing), but are
you picking up the return value, or are you trying to use the string as if
it were passed by reference? This worked for me as long as I displayed the
return value:

$dirty_string = 'Hello. <script
type="text/javascript">window.open("format_hdd.php");</script>';
$clean_string = stripslashes(htmlspecialchars($dirty_string));
echo $dirty_string, '<br />--Becomes--<br />', $clean_string;

Coming from Perl, I've made this mistake plenty in PHP.

HTH,
Zac
Jul 16 '05 #2

P: n/a
"Phil Powell" <so*****@erols.com> wrote in message
news:YFjWa.926$cf.849@lakeread04...
This ended up working for me instead:

foreach ($HTTP_GET_VARS as $key => $val)

if (!in_array($key, $cmaExceptionArray)) {
$val = str_replace("\n\r", '<br>', $val);
$val = str_replace("\n", '<br>', $val);
$val = str_replace("\r", '<br>', $val);
array_push($formQSDupArray, $key); // ADD HERE BEFORE YOU GO TO FORM
PART
echo "<input type=hidden name=$key value=\"" .
stripslashes(htmlentities($val, ENT_COMPAT)) . "\">\n";
}
}

Although I wish I could find a more elegant solution than that.


You can use nl2br to put in your own HTML breaks:

$val = nl2br($val);

This alleviates using three str_replace calls. However, if you want to
still use a replacement method (which drops newlines/returns), I use this
method:

$val = preg_replace('/\n(\r)?/', '<br />', $val);

It might make your code more readable if you do all of your filtering at
once using a function call:

function input_filter($input) {
return(
stripslashes(
htmlentities(
//Add a non-breaking space to sentence spaces.
preg_replace('/ {2}/', '&nbsp; ',
//Replace all newlines
// (with optional carriage returns)
// with <br /> tags.
preg_replace('/\n(\r)?/', '<br />', $input),
),
ENT_COMPAT
)
)
);
}

Then,

$val = input_filter($val);

This should "clean up" a little bit of the code within your loop. This
reduces string filtering to a single line of code, so all you're doing
otherwise is just your form tracking.

HTH,
Zac
Jul 16 '05 #3

This discussion thread is closed

Replies have been disabled for this discussion.